Understand Microsoft Defender additional protections


Threat protection for Azure network layer

Microsoft Defender for Cloud network-layer analytics is based on sampled IPFIX data: packet headers collected by Azure core routers. Based on this data feed, Defender for Cloud uses machine learning models to identify and flag malicious traffic activity. Defender for Cloud also uses the Microsoft Threat Intelligence database to enrich the IP addresses it sees.

Some network configurations prevent Defender for Cloud from generating alerts on suspicious network activity. For Defender for Cloud to generate network alerts, ensure that:

  • Your virtual machine has a public IP address (or is on a load balancer with a public IP address).

  • Your virtual machine's network egress traffic isn't blocked by an external IDS solution.
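The first prerequisite above can be checked across a subscription by listing each VM's IP configuration and flagging those with no allocated public IP that are also not behind a public load balancer. The script below is an added example, not code from the Microsoft Learn page or from Microsoft; it assumes that the input is shaped like the JSON printed by `az vm list-ip-addresses -o json`, and the records in it are constructed sample data, not output from a real subscription. The set of VMs behind a public load balancer is likewise a constructed stand-in for what you would collect from your load balancer configuration.

```python
"""Added example: find Azure VMs that do not meet the public-IP prerequisite
for Defender for Cloud network-layer alerts.

Assumption: the input mimics the schema of `az vm list-ip-addresses -o json`.
All records and names below are constructed, not from a real environment."""
import json
from typing import Dict, List, Set

# Constructed sample shaped like `az vm list-ip-addresses -o json` output.
SAMPLE_AZ_OUTPUT = json.dumps([
    {
        "virtualMachine": {
            "name": "web-vm-01",
            "resourceGroup": "rg-prod",
            "network": {
                "privateIpAddresses": ["10.0.1.4"],
                "publicIpAddresses": [
                    {"name": "web-vm-01-pip", "ipAddress": "203.0.113.10",
                     "ipAllocationMethod": "Static"}
                ],
            },
        },
    },
    {
        "virtualMachine": {
            "name": "db-vm-01",
            "resourceGroup": "rg-prod",
            "network": {"privateIpAddresses": ["10.0.2.4"],
                        "publicIpAddresses": []},
        },
    },
    {
        "virtualMachine": {
            "name": "app-vm-01",
            "resourceGroup": "rg-prod",
            "network": {
                "privateIpAddresses": ["10.0.3.4"],
                # Dynamic public IP that has not been allocated yet (VM
                # deallocated): the resource exists but carries no address.
                "publicIpAddresses": [{"name": "app-pip", "ipAddress": None,
                                       "ipAllocationMethod": "Dynamic"}],
            },
        },
    },
])

# Constructed stand-in: VMs known to be backend members of a load balancer
# that has a public frontend IP. In practice this comes from your
# load balancer configuration, not from the VM listing.
BEHIND_PUBLIC_LB: Set[str] = {"db-vm-01"}


def has_public_ip(vm_record: dict) -> bool:
    """True if the VM has at least one public IP with an allocated address.

    A dynamic public IP whose address is null does not count, because the VM
    is not reachable on it until the address is allocated."""
    pips = vm_record["virtualMachine"]["network"].get("publicIpAddresses", [])
    return any(p.get("ipAddress") for p in pips)


def classify_vms(az_json: str, public_lb_members: Set[str]) -> Dict[str, List[str]]:
    """Split VMs into those that satisfy the public-reachability prerequisite
    for Defender for Cloud network alerts and those that do not."""
    eligible: List[str] = []
    not_eligible: List[str] = []
    for rec in json.loads(az_json):
        name = rec["virtualMachine"]["name"]
        if has_public_ip(rec) or name in public_lb_members:
            eligible.append(name)
        else:
            not_eligible.append(name)
    return {"eligible": eligible, "not_eligible": not_eligible}


if __name__ == "__main__":
    result = classify_vms(SAMPLE_AZ_OUTPUT, BEHIND_PUBLIC_LB)
    for name in result["not_eligible"]:
        print(f"{name}: no allocated public IP and not behind a public load "
              "balancer; network-layer alerts will not be generated for it")
```

On the constructed data, `web-vm-01` and `db-vm-01` satisfy the prerequisite and `app-vm-01` does not, because its dynamic public IP has no address allocated. The second prerequisite (egress not blocked by an external IDS) cannot be read from this listing and has to be verified against the IDS or network virtual appliance configuration separately.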

Threat protection for Azure Cosmos DB (Preview)

Azure Cosmos DB alerts are triggered by unusual and potentially harmful attempts to access or exploit Azure Cosmos DB accounts.

Display Azure WAF alerts in Microsoft Defender for Cloud

Azure Application Gateway offers a web application firewall (WAF) that provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. The Application Gateway WAF is based on Core Rule Set 3.0 or 2.2.9 from the Open Web Application Security Project. The WAF is updated automatically to protect against new vulnerabilities.

If you have a license for Azure WAF, your WAF alerts are streamed to Defender for Cloud with no extra configuration needed.

Display Azure DDoS Protection alerts in Microsoft Defender for Cloud

Distributed denial of service (DDoS) attacks are known to be easy to execute. They've become a great security concern, particularly if you're moving your applications to the cloud. A DDoS attack attempts to exhaust an application's resources, making the application unavailable to legitimate users. DDoS attacks can target any endpoint that can be reached through the internet. To defend against DDoS attacks, purchase a license for Azure DDoS Protection and ensure you're following application design best practices. DDoS Protection provides different service tiers.

Display Microsoft Defender for Cloud recommendations in Microsoft Defender for Cloud Apps

Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that supports various deployment modes including log collection, API connectors, and reverse proxy. It provides rich visibility, control over data travel, and sophisticated analytics to identify and combat cyberthreats across all your Microsoft and third-party cloud services.

If you've enabled Microsoft Defender for Cloud Apps and selected the integration from within Microsoft Defender for Cloud's settings, your hardening recommendations from Microsoft Defender for Cloud appear in Defender for Cloud Apps with no extra configuration needed.